BIB-VERSION:: CS-TR-v2.0
ID:: ncstrl.dartmouthcs//TR2011-707
ENTRY:: October 10, 2011
ORGANIZATION:: Dartmouth College, Computer Science
REQUESTED-BY:: ac@cs.dartmouth.edu
REQUESTED-FOR:: cja
REQUESTED-DATE:: Tue Oct 4 21:43:08 EDT 2011
TITLE:: Anomaly Detection in Network Streams Through a Distributional Lens
TYPE:: Technical Report (paper)
REVISION:: 1
AUTHOR:: Arackaparambil, Chrisil
DATE:: September 2011
RETRIEVAL:: For a paper copy, email
RETRIEVAL:: For a paper copy, write to
Technical Report Librarian
Department of Computer Science
Dartmouth College
6211 Sudikoff Laboratory
Hanover, NH 03755-3510
USA
RETRIEVAL:: PDF at http://www.cs.dartmouth.edu/reports/TR2011-707.pdf
ABSTRACT::
Anomaly detection in computer networks yields valuable information on
events relating to the components of a network, their states, the users
in a network and their activities. This thesis provides a unified
distribution-based methodology for online detection of anomalies in
network traffic streams. The methodology is distribution-based in that
it regards the traffic stream as a time series of distributions
(histograms), and monitors metrics of distributions in the time series.
The effectiveness of the methodology is demonstrated in three
application scenarios. First, in 802.11 wireless traffic, we show the
ability to detect certain classes of attacks using the methodology.
Second, in information network update streams (specifically in
Wikipedia) we show the ability to detect the activity of bots, flash
events, and outages, as they occur. Third, in Voice over IP traffic
streams, we show the ability to detect covert channels that exfiltrate
confidential information out of the network. Our experiments show the
high detection rate of the methodology when compared to other existing
methods, while maintaining a low rate of false positives. Furthermore,
we provide algorithmic results that enable efficient and scalable
implementation of the above methodology, to accommodate the massive data
rates observed in modern information streams on the Internet.
Through these applications, we present an extensive study of several
aspects of the methodology. We analyze the behavior of metrics we
consider, providing justification of our choice of those metrics, and
how they can be used to diagnose anomalies. We provide insight into the
choice of parameters, like window length and threshold, used in anomaly
detection.
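The following is an added illustration of the distributional view described in the abstract, not code from the thesis. It cuts a stream of per-frame feature values (here, constructed sender identities standing in for 802.11 source addresses) into fixed-length windows, turns each window into a histogram, and thresholds two per-window metrics. The abstract does not name the thesis's metrics; Shannon entropy and L1 distance to a baseline histogram are used here as assumed, representative choices, and the window length, threshold values and sample traffic are all constructed for the example.

```python
# Added example (not from the thesis): a minimal distribution-based detector
# in the spirit of the abstract. Metrics, thresholds and sample data are
# assumptions made for illustration, not the thesis's own choices.
import math
from collections import Counter


def histogram(window):
    """Empirical distribution of one window of feature values (e.g. sender IDs)."""
    counts = Counter(window)
    total = sum(counts.values())
    return {key: n / total for key, n in counts.items()}


def entropy_bits(dist):
    """Shannon entropy in bits: about log2(k) for k evenly active senders,
    collapsing toward 0 when a single sender dominates (e.g. a flood)."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)


def l1_distance(p, q):
    """L1 distance between two histograms over the union of their supports (0..2)."""
    return sum(abs(p.get(k, 0.0) - q.get(k, 0.0)) for k in set(p) | set(q))


def average_histogram(hists):
    """Pointwise mean of several histograms: the benign baseline distribution."""
    keys = set().union(*hists)
    return {k: sum(h.get(k, 0.0) for h in hists) / len(hists) for k in keys}


def detect(stream, window_len, baseline_windows, l1_threshold, entropy_min):
    """Cut the stream into non-overlapping windows of `window_len` items, learn a
    baseline from the first `baseline_windows` windows (assumed benign), then
    flag every later window whose histogram drifts from the baseline (L1 above
    threshold) or whose entropy falls below `entropy_min`. Each alert names the
    feature value contributing most to the L1 distance as a diagnostic hint."""
    hists = [histogram(stream[i:i + window_len])
             for i in range(0, len(stream) - window_len + 1, window_len)]
    baseline = average_histogram(hists[:baseline_windows])
    alerts = []
    for idx in range(baseline_windows, len(hists)):
        h = hists[idx]
        dist = l1_distance(baseline, h)
        ent = entropy_bits(h)
        if dist > l1_threshold or ent < entropy_min:
            top = max(set(baseline) | set(h),
                      key=lambda k: abs(baseline.get(k, 0.0) - h.get(k, 0.0)))
            alerts.append({"window": idx, "l1": round(dist, 3),
                           "entropy": round(ent, 3), "top_contributor": top})
    return alerts


def build_sample_stream():
    """Constructed sample: sender identity per frame, 7 windows of 20 frames.
    Windows 0-3 and 5: five stations sending evenly. Window 4: a flood from one
    new sender (18 of 20 frames). Window 6: one legitimate station dominates."""
    stations = [f"sta{i}" for i in range(1, 6)]
    normal = stations * 4                                  # uniform, 20 frames
    flood = ["attacker"] * 18 + ["sta1", "sta2"]           # 20 frames
    skewed = ["sta3"] * 14 + ["sta1", "sta1", "sta2", "sta2", "sta4", "sta5"]
    return normal * 4 + flood + normal + skewed


def run_example():
    """Run the detector on the constructed stream; returns the alert list."""
    return detect(build_sample_stream(), window_len=20, baseline_windows=3,
                  l1_threshold=0.5, entropy_min=1.5)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

On the constructed stream the detector flags windows 4 and 6 and leaves the evenly-distributed windows alone. The flood is caught by both metrics (L1 of about 1.8 against a uniform baseline, entropy of about 0.57 bits) and the top contributor names the new sender; the skewed window is caught with a smaller L1 of about 1.0 and names the dominating legitimate station. The window length and thresholds are the parameters the abstract refers to: shorter windows react faster but yield noisier histograms, and the thresholds trade detection rate against false positives.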
NOTE::
Ph.D. dissertation. Advisor: Amit Chakrabarti
END:: ncstrl.dartmouthcs//TR2011-707